[Snort-users] Automatically block IP on firewall box from snort IDS

beenph beenph at ...11827...
Tue Sep 18 13:31:51 EDT 2012


On Tue, Sep 18, 2012 at 1:10 PM, Joel Esler <jesler at ...1935...> wrote:
> I haven't used barnyard2 in years, but it is my understanding, and I'd like
> to see beenph comment on this thread that Snortsam's functionality has moved
> into the barnyard2 codebase.  It may be in the git master build (not yet
> rolled into an official release)
>

I have never tested the plugin, which was originally written by Frank
Knobbe and integrated into by2 by Firnsy.
It's part of by2 since 2-1.9.

From what I understand, the plugin will communicate with the SnortSam
agent and the agent will dispatch the blocking mechanism based on how it
is configured.

I will snip part of the info found in the conf file and in the code comment.

/*
 * Purpose:
 *
 * This module sends alerts to a remote service on a host running SnortSam
 * (the agent) which will block the intruding IP address on a variety of
 * host and network firewalls.
 *
 * SnortSam also performs checks against a white-list of never-to-be-blocked IP addresses,
 * can override block durations (for example for known proxies), and can detect attack conditions
 * where too many blocks are received within a defined interval. If an attack is detected
 * it will unblock the last x blocks and wait for the attack to end.
 *
 * See the SnortSam documentation for more information.
 *
 *
 * Output Plugin Parameters:
 ***************************
 *
 * output alert_fwsam: <SnortSam Station>:<port>/<key>
 *
 *  <FW Mgmt Station>:  IP address or host name of the host running SnortSam.
 *  <port>:         Port the remote SnortSam service listens on (default 898).
 *  <key>:              Key used for authentication (encryption really)
 *              of the communication to the remote service.
 *
 * Examples:
 *
 * output alert_fwsam: snortsambox/idspassword
 * output alert_fwsam: fw1.domain.tld:898/mykey
 * output alert_fwsam: 192.168.0.1/borderfw  192.168.1.254/wanfw
 *
 *
 * sid-fwsam Parameters:
 ***********************
 *
 * <sid>:   who[how],time;
 *
 *  who: src, source, dst, dest, destination
 *          IP address to be blocked according to snort rule (some rules
 *          are reversed, i.e. homenet -> any [and you want to block any]).
 *          src denotes IP to the left of -> and dst denotes IP to the right
 *
 *  how: Optional. In, out, src, dest, either, both, this, conn, connection
 *          Tells SnortSam to block packets INcoming from host, OUTgoing to host,
 *          EITHERway, or only THIS connection (IP/Service pair).
 *          See 'fw sam' on Firewall-1 for more information.
 *          This option may be ignored by other plugins.
 *
 * time: Duration of block in seconds. (Accepts 'days', 'months', 'weeks',
 *       'years', 'minutes', 'seconds', 'hours'. Alternatively, a value of
 *       0, or the keyword PERManent, INFinite, or ALWAYS, will block the
 *       host permanently. Be careful with this!
 *          Tells SnortSam how long to inhibit packets from the host.
 *
 * Examples:
 *
 * 1487: src[either],15min;
 * 1292: dst[in], 2 days 4 hours
 * 1638: src, 1 hour
 *
*/

-elz




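The two formats quoted in the comment above (the `output alert_fwsam: <station>:<port>/<key>` line and the `<sid>: who[how],time;` entries), parsed and applied as an added example. This is not barnyard2's or SnortSam's own code; the function names, the unit-abbreviation handling, the month=30 days / year=365 days lengths, the never-block list (standing in for SnortSam's white-list of never-to-be-blocked addresses) and the sample addresses are all this example's own assumptions:

```python
"""Parse barnyard2 alert_fwsam / sid-fwsam settings and apply a never-block list.

Added example, not code from barnyard2 or SnortSam.  The grammar follows the
plugin comment quoted above; unit abbreviations, month/year lengths and the
never-block list are assumptions made here.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# 'who' keywords from the comment, normalised to src/dst.
WHO = {"src": "src", "source": "src", "dst": "dst", "dest": "dst", "destination": "dst"}
# Optional 'how' keywords from the comment; passed through to SnortSam unchanged.
HOW = {"in", "out", "src", "dest", "either", "both", "this", "conn", "connection"}
DEFAULT_PORT = 898  # default SnortSam port, per the comment

_RULE_RE = re.compile(
    r"^\s*(\d+)\s*:\s*([a-z]+)\s*(?:\[\s*([a-z]+)\s*\])?\s*,\s*([^;]+?)\s*;?\s*$", re.I)
_TOKEN_RE = re.compile(r"(\d+)\s*([a-z]*)")
_OUTPUT_PREFIX_RE = re.compile(r"^\s*output\s+alert_fwsam\s*:\s*", re.I)


def _unit_seconds(unit: str) -> int:
    """Map a unit word or prefix to seconds (assumption: month=30d, year=365d)."""
    u = unit.lower()
    if u == "":               # bare number means seconds, per the comment
        return 1
    if u.startswith("mon"):   # month(s)
        return 30 * 86400
    if u.startswith("m"):     # m, min, minute(s); a lone 'm' is taken as minutes
        return 60
    table = {"s": 1, "h": 3600, "d": 86400, "w": 604800, "y": 365 * 86400}
    if u[0] in table:
        return table[u[0]]
    raise ValueError(f"unknown duration unit {unit!r}")


def parse_duration(text: str) -> int:
    """Block length in seconds; 0 means permanent, as in SnortSam."""
    t = text.strip().lower()
    if t == "0" or t.startswith(("perm", "inf", "always")):
        return 0
    if _TOKEN_RE.sub("", t).strip():        # leftover text is not a duration
        raise ValueError(f"cannot parse duration {text!r}")
    total = sum(int(n) * _unit_seconds(u) for n, u in _TOKEN_RE.findall(t))
    if total <= 0:
        raise ValueError(f"cannot parse duration {text!r}")
    return total


@dataclass(frozen=True)
class FwsamRule:
    sid: int
    who: str             # 'src' (left of ->) or 'dst' (right of ->)
    how: Optional[str]   # None when the optional [how] is absent
    seconds: int         # 0 == permanent

    @property
    def permanent(self) -> bool:
        return self.seconds == 0


def parse_rule(line: str) -> FwsamRule:
    """Parse one entry such as '1487: src[either],15min;'."""
    m = _RULE_RE.match(line)
    if not m:
        raise ValueError(f"malformed sid-fwsam entry {line!r}")
    sid, who, how, duration = m.groups()
    who, how = who.lower(), (how.lower() if how else None)
    if who not in WHO:
        raise ValueError(f"sid {sid}: unknown who {who!r}")
    if how is not None and how not in HOW:
        raise ValueError(f"sid {sid}: unknown how {how!r}")
    return FwsamRule(int(sid), WHO[who], how, parse_duration(duration))


def load_rules(text: str) -> Dict[int, FwsamRule]:
    """Parse a sid-fwsam file body, skipping blank and '#' comment lines."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return {r.sid: r for r in map(parse_rule, lines)}


def parse_stations(config: str) -> List[Tuple[str, int, str]]:
    """Parse 'output alert_fwsam: host[:port]/key ...' into (host, port, key) tuples."""
    stations = []
    for token in _OUTPUT_PREFIX_RE.sub("", config).split():
        host_port, _, key = token.rpartition("/")
        if not host_port or not key:
            raise ValueError(f"bad station spec {token!r}")
        host, _, port = host_port.partition(":")
        stations.append((host, int(port) if port else DEFAULT_PORT, key))
    return stations


def block_target(rule: FwsamRule, alert_src: str, alert_dst: str,
                 never_block: Iterable) -> Optional[str]:
    """IP the rule selects for blocking, or None if it is on the never-block list."""
    ip = ipaddress.ip_address(alert_src if rule.who == "src" else alert_dst)
    return None if any(ip in net for net in never_block) else str(ip)


# Constructed sample config: the three entries from the plugin comment plus one
# permanent block; the never-block list covers our own (documentation) ranges.
SAMPLE_SID_FWSAM = """
# <sid>: who[how],time;
1487: src[either],15min;
1292: dst[in], 2 days 4 hours
1638: src, 1 hour
2003: src[this], PERM
"""
SAMPLE_OUTPUT = "output alert_fwsam: 192.168.0.1/borderfw  192.168.1.254:898/wanfw"
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("10.0.0.0/8")]


def decide(sid: int, alert_src: str, alert_dst: str) -> Optional[Tuple[str, Optional[str], int]]:
    """What a block request for this alert would carry: (ip, how, seconds), or None."""
    rule = load_rules(SAMPLE_SID_FWSAM).get(sid)
    if rule is None:
        return None                       # sid not mapped: nothing is sent
    ip = block_target(rule, alert_src, alert_dst, NEVER_BLOCK)
    return None if ip is None else (ip, rule.how, rule.seconds)


if __name__ == "__main__":
    print(parse_stations(SAMPLE_OUTPUT))
    for sid in (1487, 1292, 1638, 2003, 9999):
        print(sid, decide(sid, "203.0.113.7", "192.0.2.10"))
```

Two things the parse makes visible before anything reaches a firewall: a duration of `0`, `PERM` or `INF` comes back as `seconds == 0`, so a config lint can flag entries that would block permanently (the "Be careful with this!" in the comment), and the never-block check catches a reversed rule (`dst` on a `homenet -> any` signature) that would otherwise block one of your own hosts, which is what the sid 1292 case above shows.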
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
>
> On Sep 18, 2012, at 7:15 AM, Pratik Narang <pratik.cse.bits at ...11827...>
> wrote:
>
> Isnt Snortsam functionality already there in Barnyard2 ??
>
>
> On Tue, Sep 18, 2012 at 4:41 PM, Kevin Ross <kevross33 at ...14012...>
> wrote:
>>
>> Use snortsam for this http://www.snortsam.net/
>>
>> Regards,
>> Kevin
>>
>>
>> On 18 September 2012 10:40, ML mail <mlnospam at ...131...> wrote:
>>>
>>> Hello,
>>>
>>> I have a network configuration where I run snort separately on a
>>> dedicated Linux box and have therefore another OpenBSD box which is
>>> dedicated to the firewall task. Now because these two security tasks are not
>>> on the same physical machine I was wondering how can I automatically block
>>> on my OpenBSD firewall specific events which happens on my snort box?
>>>
>>> For example, I see some brute force SSH login attemps to my network
>>> coming from a specific external IP. Here I would like to block that external
>>> IP on my OpenBSD firewall for let's say 1 hour. What would be the best
>>> solution to do that?
>>>
>>> Thanks for your suggestions.
>>>
>>> Best,
>>> ML
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Live Security Virtual Conference
>>> Exclusive live event will cover all the ways today's security and
>>> threat landscape has changed and how IT managers can respond. Discussions
>>> will include endpoint security, mobile security and the latest in malware
>>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>>